CISA Adds One Known Exploited Vulnerability to Catalog
Summary
CISA has added CVE-2026-48282, an Adobe ColdFusion path traversal vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. This addition reinforces the importance of CISA's Binding Operational Directive (BOD) 26-04, which mandates federal agencies to prioritize the remediation of vulnerabilities listed in the KEV Catalog on publicly exposed assets.
IFF Assessment
The addition of a newly exploited vulnerability to CISA's KEV catalog represents bad news for defenders as it indicates a known risk that is actively being targeted by malicious actors.
Severity
A path traversal vulnerability, especially one that grants total control of an asset post-exploitation, is considered highly severe. While not explicitly stated, a CVSS score in the 9.0 range is a reasonable estimation for such a critical flaw that is actively exploited.
CISA KEV: Listed as actively exploited. Federal patch due: July 10, 2026. Known ransomware use: Unknown.
Defender Context
Defenders must prioritize patching or mitigating CVE-2026-48282, especially on publicly exposed assets, given its inclusion in CISA's KEV Catalog and evidence of active exploitation. Organizations should review their vulnerability management processes to ensure they align with risk-based prioritization strategies as outlined by BOD 26-04, focusing on actively exploited vulnerabilities.